Colombian energy, metal firms under fire in new Trojan attack wave

Threat actors have selected three different Trojans to conduct cyberespionage.
Written by Charlie Osborne, Contributing Writer

A wave of attacks against companies in Colombia uses a trio of Remote Access Trojans (RATs) to steal confidential, sensitive data.

The campaign, dubbed Operation Spalax, was revealed by ESET researchers on Tuesday. 

In a blog post, the cybersecurity firm said government and private entities in Colombia are being exclusively targeted by the threat actors, who seem to have a particular interest in the energy and metallurgical industries. 

ESET began tracking the campaign, which is ongoing, in the second half of 2020 when at least 24 IP addresses -- likely compromised devices acting as proxies for the attackers' command-and-control (C2) servers -- were linked to a spate of attacks. 

To begin the infection chain against a target entity, the threat actors use a traditional method: phishing emails. The subjects of these fraudulent messages range from demands to attend court hearings to bank account freeze warnings and notifications to take a mandatory COVID-19 test. 

In some samples, agencies including the Office of the Attorney General (Fiscalia General de la Nacion) and the National Directorate of Taxes and Customs (DIAN) were impersonated.

Each email has a .PDF file attached, linking to a .RAR archive. If the victim downloads the package -- located on OneDrive, MediaFire, and other hosting services -- an executable file within triggers malware. 

The threat actors use a selection of droppers and packers to deploy the Trojan payloads, the purpose of all being to execute a RAT by injecting it into a legitimate process. 

The three payloads are all available commercially and have not been developed in-house by the cyberattackers. 

The first is Remcos, malware available on underground forums for as little as $58. The second RAT is njRAT, a Trojan most recently spotted in campaigns using Pastebin as an alternative to C2 structures, and the third is AsyncRAT, an open source remote administration tool. 

"There is not a one-to-one relationship between droppers and payloads, as we have seen different types of droppers running the same payload and also a single type of dropper connected to different payloads," ESET notes. "However, we can state that NSIS droppers mostly drop Remcos, while Agent Tesla and AutoIt packers typically drop njRAT."

The RATs are able to provide remote access control to the threat actors and also contain modules for keylogging, screen capture, clipboard content harvesting, data exfiltration, and both the download and execution of additional malware, among other functions. 

According to ESET, there are no concrete clues to attribution, however, there are some overlaps with APTC36, also known as Blind Eagle. This APT was connected to attacks in 2019 against Colombian entities in order to steal sensitive information. 

The attacker's use of dynamic DNS services means that the campaign's infrastructure is also constantly changing, with new domain names being registered for use against Colombian companies on a regular basis. 

ESET also noted links to research conducted by Trend Micro in 2019. The phishing tactics are similar, but whereas Trend Micro's report relates to spying and potentially the targeting of financial accounts, ESET has not detected any use of payloads beyond cyberespionage. However, the company acknowledges that some of the targets of the current campaign -- including a lottery agency -- don't appear to make logical sense just for spying activities. 

The cybersecurity firm added that due to the large and fast-changing infrastructure of this campaign, we should expect these attacks to continue in the region for the foreseeable future. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards